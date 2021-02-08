



Google’s new website aims to address issues related to triage of newly discovered bugs through automation.


Google has launched an Open Source Vulnerabilities (OSV) website to help triage bugs in open source projects and to provide a vulnerability database for both open source maintainers and consumers.

Google says that users of open source software have difficulty mapping vulnerabilities, such as Common Vulnerabilities and Exposures (CVE) entries, to the package version they are actually using. This is because the versioning scheme used by existing vulnerability standards does not map well onto the way open source projects really version their code, usually a version tag or a commit hash. “As a result, we are missing out on vulnerabilities that affect downstream consumers,” the company warns.

Google is already sponsoring the migration of open source projects from bug-prone C code to Rust, a memory-safe programming language. Last week it also proposed a framework for the open source community to decide which projects should be considered “critical”, along with stricter rules for developers contributing to those projects.

OSV aims to address issues related to triage of newly discovered bugs through automation.

“For open source maintainers, OSV’s automation helps ease the burden of triage. Each vulnerability undergoes automated bisection and impact analysis to determine the exact commits and version ranges affected,” Google said.

“Similarly, once a vulnerability has been fixed, it is the maintainer who, in addition to the processes required for publishing, has to determine the exact list of affected versions and commits across all branches so that downstream consumers know whether they are affected. Unfortunately, many open source projects, including projects that are critical to modern infrastructure, lack resources and are overworked. Maintainers do not always have the bandwidth to create and publish complete and accurate information about vulnerabilities.

“We plan to work with the open source community to extend the data to different language ecosystems (NPM, PyPI, etc.) and to build a pipeline that lets package maintainers submit vulnerabilities with minimal effort.”
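The two steps Google describes above, automated bisection to find the commit that introduced a bug and mapping that commit range onto release tags so a downstream consumer can tell whether the version they run is affected, can be sketched in a few dozen lines. The following is an added illustration, not Google’s OSV code, and it says nothing about OSV’s real schema or pipeline. The commit history, release tags, the `crash_reproduces` oracle (standing in for re-running a fuzzer’s crashing input at each commit) and every hash and tag are constructed for the demonstration; a real bisection would check out each commit and rebuild.

```python
# Added example (not Google's OSV code): toy bisection plus commit-to-release
# mapping. All commit ids, tags and the crash oracle below are constructed.
from typing import Callable, Dict, List, Optional

# Constructed linear commit history, oldest first (hypothetical short hashes).
COMMITS: List[str] = [
    "a1b2c3d", "b2c3d4e", "c3d4e5f", "d4e5f6a", "e5f6a7b", "f6a7b8c", "a7b8c9d",
]

# Constructed release tags pointing at commits in that history.
TAGS: Dict[str, str] = {
    "v1.0.0": "a1b2c3d",
    "v1.1.0": "c3d4e5f",
    "v1.2.0": "e5f6a7b",
    "v1.3.0": "a7b8c9d",
}

# Constructed ground truth the bisection is supposed to rediscover:
# the bug entered at index 3 and was fixed at index 6.
BUG_INTRODUCED = "d4e5f6a"
BUG_FIXED = "a7b8c9d"


def crash_reproduces(commit: str) -> bool:
    """Stand-in for re-running the crashing input against a given commit.

    Constructed oracle: the crash reproduces from the introducing commit up to
    (but excluding) the fixing commit.
    """
    i = COMMITS.index(commit)
    return COMMITS.index(BUG_INTRODUCED) <= i < COMMITS.index(BUG_FIXED)


def bisect_introducing_commit(
    commits: List[str], bad: str, reproduces: Callable[[str], bool]
) -> str:
    """Binary-search the history up to `bad` for the first commit where the
    crash reproduces. Assumes a linear history and that the crash, once
    introduced, persists up to `bad` (the same monotonicity git bisect needs).
    """
    hi = commits.index(bad)
    if not reproduces(commits[hi]):
        raise ValueError("the known-bad commit must reproduce the crash")
    lo = 0
    if reproduces(commits[lo]):
        return commits[lo]  # bug present from the very first commit
    # Invariant: commits[lo] is good, commits[hi] is bad.
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if reproduces(commits[mid]):
            hi = mid
        else:
            lo = mid
    return commits[hi]


def affected_tags(
    commits: List[str], tags: Dict[str, str], introduced: str, fixed: Optional[str]
) -> List[str]:
    """Release tags whose commit lies in [introduced, fixed); None means unfixed,
    so every release from the introducing commit onward is affected."""
    idx = {c: i for i, c in enumerate(commits)}
    start = idx[introduced]
    end = idx[fixed] if fixed is not None else len(commits)
    hits = [(idx[c], t) for t, c in tags.items() if start <= idx[c] < end]
    return [t for _, t in sorted(hits)]


def consumer_is_affected(installed_tag: str, affected: List[str]) -> bool:
    """The question a downstream consumer needs answered: is my release in the set?"""
    return installed_tag in affected


if __name__ == "__main__":
    culprit = bisect_introducing_commit(COMMITS, "f6a7b8c", crash_reproduces)
    affected = affected_tags(COMMITS, TAGS, culprit, BUG_FIXED)
    print("introduced by", culprit, "- affected releases:", affected)
    for tag in TAGS:
        verdict = "affected" if consumer_is_affected(tag, affected) else "not affected"
        print(tag, verdict)
```

The point of working at commit granularity is visible in the output: only `v1.2.0` is affected, even though a CVE-style "versions before 1.3.0" range would also flag `v1.0.0` and `v1.1.0`, which predate the introducing commit.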

Google’s efforts mirror Microsoft’s open source security initiative via GitHub, which aims to speed up fixes through tools such as Microsoft Teams.

According to Google, OSV “is intended to provide accurate data on where vulnerabilities occurred and where they were fixed, so that users of open source software can pinpoint whether they are affected and apply security fixes as quickly as possible.”

Currently, the feed contains vulnerabilities found by OSS-Fuzz, Google’s automated service for hunting bugs in open source software. Most of the bugs submitted to OSV so far come from C and C++ code.

OSS-Fuzz is a successful Google program that has helped discover thousands of bugs in major open source projects. Fuzzing involves feeding an application large volumes of malformed or random input in an attempt to make it crash.

OSV is another step in Google’s efforts to improve the security of open source software development in light of recent supply chain attacks. Google wants the community to agree on what counts as a critical project and to apply stricter rules to the maintainers of those projects. That is only a proposal for now, but the company wants the industry to improve vulnerability management in open source software development.

Meanwhile, it lists over 380 open source software projects that it considers critical and is working with package distribution platforms to improve vulnerability management.

“Vulnerability management is a pain for both consumers and maintainers of open source software and often involves tedious manual labor,” Google said.

